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DETAILED ACTION 

1 . This Office action is in response to the amendment filed on 5/1 8/1 0 

2. Claims 1-6, 8, 11-25, 27 and 28 are pending. 

Priority 

3. It is noted that the instant application is a continuation in part to application 

1 065021 1 . The parent application does not disclose any embodiments that feature all 
limitations of each of the instant claims. For example, none of a forward proxy, reverse 
proxy and/or transparent proxy are identified as embodiments in the earlier application. 
Hence, the priority date with respect to the prior art for the instant claims of this 
application is the filing date of the instant application. See amended specification filed 
on 1/21/09. 

Claim Interpretation 

4. With respect to the new limitation of claim 1 ("the remote site delegates data 
vending on behalf of the remote site to be managed and distributed by the local 
managing service from within the local processing environment of the client and the 
local managing service presents itself to the client as the remote site"), the following 
disclosure on pg. 7 of Applicant's specification is deemed pertinent: 

Thus, when the proxy 102 detects that a client 101 is attempting to establish secure 
communications with a remote site 120 that is associated with a particular local managing 
service 103, the proxy 102 passes the client 101 request for 10 communication along to 
the particular local managing service 103. The local managing service 103 is trusted by 
the remote site 120, this means that the remote site 120 may house the identity of the 
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local managing service 103 in one of its trusted data stores which identifies trusted 
parties. The remote site 120 also recognizes communications with the local managing 
service 103 as being secure. 15 Similarly, the local managing service 103 recognizes and 
trusts the remote site 120. Thus, the remote site 120 delegates its authority to the local 
managing service 103 to vend some of its data on behalf of it within the local networking 
environment of the client 101 . 

One technigue for doing this is to provide a digital certificate of the remote 20 site 120 to 
the local managing service 103. Typically, the remote site 120 provides certificates to 
trusted parties for purposes of decrypting its data communications. The remote site 120 
may also provide an encryption key to the local managing service 103. The encryption 
key is what the remote site 120 personally uses to encrypt its data communications for 
purposes of secure communications with a 25 trusted party. Armed with the certificate 
and/or encryption key, the local managing service 103 can present itself to the client 101 
within the client's local computing environment as if the local managing service 103 were 
in fact the remote site 120. 

Once the proxy 102 and the local managing service 103 are properly configured within 
the client's local computing environment, data can be managed 30 and accelerated by 
the local managing service 103 on behalf of the remote site 120 
in the following manners. 



Response to Arguments 

5. Applicant's arguments with respect to the amended claims have been considered 
but are moot in view of the new rejections under Boneh and Aziz et al. US 6,643,701 . 



Double Patenting 

6. The nonstatutory double patenting rejection is based on a judicially created 
doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the 
unjustified or improper timewise extension of the "right to exclude" granted by a patent 
and to prevent possible harassment by multiple assignees. A nonstatutory 
obviousness-type double patenting rejection is appropriate where the conflicting claims 
are not identical, but at least one examined application claim is not patentably distinct 
from the reference claim(s) because the examined application claim is either anticipated 
by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 
F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 
USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 
1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, All 
F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 
USPQ 644 (CCPA 1969). 

A timely filed terminal disclaimer in compliance with 37 CFR 1 .321 (c) or 1 .321 (d) 
may be used to overcome an actual or provisional rejection based on a nonstatutory 
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double patenting ground provided the conflicting application or patent either is shown to 
be commonly owned with this application, or claims an invention made as a result of 
activities undertaken within the scope of a joint research agreement. 

Effective January 1 , 1994, a registered attorney or agent of record may sign a 
terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 
37 CFR 3.73(b). 



7. Claims 1-6, 8, 10-25, 27 and 28 are provisionally rejected on the ground of 
nonstatutory obviousness-type double patenting as being unpatentable over claims 1 , 3- 
15, 17-22 and 24-26 of copending Application No. 10814983. Although the conflicting 
claims are not identical, they are not patentably distinct from each other because the 
subject matter of the instant claims are defined in claims 1 , 3-1 5, 1 7-22 and 24-26 of 
copending Application No. 10814983. 

This is a provisional obviousness-type double patenting rejection because the 
conflicting claims have not in fact been patented. 



Claim Rejections - 35 USC § 103 

8. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

9. Claims 1 -6, 8, 1 1 -25, 27 and 28 are rejected under 35 U.S.C. 1 03(a) as being 
unpatentable over Boneh et al. US 20040015725 (hereinafter Boneh) in view of Aziz et 
al. US 6,643,701 (hereinafter Aziz). 
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10. As per claims 1-6, Boneh discloses a method for managing and accelerating the 
delivery of data implemented in a computer-readable storage medium and processed 
on a proxy device for performing the method, comprising: 

a. receiving a secure communications request for data associated with a 
remote site, wherein the request is received from a client and the secure 
communications request occurs via Secure Socket Layer (SSL) communications 
with the client (paragraph 26) and wherein the request is received at a forward 
proxy that processes within a local processing environment of the client (fig. 4; 
paragraph 36, browser first sends a message CONNECT www.xyz.com to the 
web proxy; compare with paragraph 47, where no CONNECT messages is pre- 
appended); and 

b. passing the request to a local managing service for processing acting as 
the forward proxy for the client, wherein the local managing service is capable of 
caching the data for servicing the secure communications request of the client 
within the local processing environment of the client and capable of securely 
interfacing with the remote site (paragraphs 34-42; client sends the connect 
request message to the web proxy; proxy performs caching on decrypted 
response); 

c. the local managing service houses an identity for the remote site and local 
managing service is trusted by the remote site and the remote site delegates 
authority to the local managing service to vend data of the remote sites within the 
local processing environment of the client (paragraph 41 , web proxy creates a 
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TLS session to the site www.xyz.com ; TLS session establishment entails 
certificate exchange and verification between the web proxy and the remote site; 
see also pg. 7, lines 13-18 of the instant specification); 

d. creating, by the local proxy device, a secure communications tunnel 
between the client and the local managing service (paragraph 40, TLS session 
between the client and the web proxy; see for example paragraph 12 for TLS 
session generation); and 

e. creating, by the proxy device, another secure communications tunnel 
between the local managing service and the remote site (paragraph 41 , web 
proxy creates a TLS session with the site www.xyz.com); 

f. determining, by the local managing service, when the secure 
communications request can be satisfied with cached data; and supplying the 
data from the cached data to the client with secure communications, when 
present in cache; requesting, by the local managing service, the data from the 
remote site if the data is not in the cache; receiving the data from the remote site; 
and supplying the data to the client with secure communications; housing the 
data in the cache for subsequent requests made by the client or other clients for 
the data, when the data is permitted to be cached (paragraph 42, all features are 
inherent in caching services); 

g. maintaining, by the local managing service, a certificate associated with 
communications from the remote site (paragraph 41); 
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h. transmitting, by the local managing service, to the remote site a first 
certificate associated with the identity of the local managing service; 
receiving, from the remote site, at the local managing service a second certificate 
associated with the identity of the remote site; and communicating between the 
remote site and the local managing service with Secure Sockets Layer (SSL) 
communications using the first and second certificates (paragraph 41). 

1 1 . Furthermore Boneh discloses that the web proxy presents itself to the client as 
the remote site by generating a server certificate at the web proxy and communicating 
the certificate to the user client. Secure communications between the client and the 
web proxy is established using the key inserted into the certificate (paragraph 45, "the 
browser is configured to accept this proxy-server certificate, the web proxy successfully 
binds the destination server name (www.xyz.com) to the proxy-generated proxy session 
public key, allowing the proxy to thereafter masquerade as the destination server 
www.xyz.com") 

12. Boneh does not expressly disclose that the local service acts as a reverse proxy 
on behalf of the remote site from the local environment of the client, whereby the remote 
site delegates data vending on behalf of the remote site to be managed and distributed 
by the local managing service from within the local processing environment of the client. 
Aziz discloses a method and apparatus for providing secure communications between a 
client and a server. When the client desires to establish a secure connection with the 
remote server, a first secure communication is established between the client and a 
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relay, and a second secure communication is then established between the relay and 

the server. In particular, on col. 5, lines 1-22 and col. 8, lines 13-32, Aziz discloses 

Information stored on relay 220 is used to create the secure connection. 
When a server wishes to obtain advantages of the present invention in a 
manner that could be transparent to client 200, server 240 will have a trust 
relationship with (that is, be controlled by or even be owned by the same 
entity as) relay 220. Therefore, server 240 will share its private key and 
certificate with relay 220 . When a client wishes to obtain advantages of 
the present invention in a manner that could be transparent to server 240, 
client 200 will have a trust relationship with relay 220, and client 200 will, 
e.g., accept the certificate of relay 220 as that of server 240 and provide 
an authentication token of client 200 to relay 220. Thereby, relay 220 may 
be inserted without access to the server's keys. This architecture could, 
for example, assist a programmer in diagnosing problems with a client's 
application that communicates with an HTTPS server (by convention a 
secure server address is given the prefix "https://") even when the server 
would not provide the programmer with access to the server's keys. When 
both client 200 and server 240 wish to achieve the advantages of the 
present invention in a manner known to each entity, each will provide 
appropriate information to relay 220. ... 

...Because relays 320 are trusted by server 340, server 340 provides each 
relay 320 with its security certificate and with its public and private key pair 
for use in an encryption/decryption process (step 910). Either prior to 
during, or in response to a client request for information from server 340, 
the secure connection program of relay 320 and the secure connection 
program of server 340 create an end-to-end security link 330 using a 
handshaking session (step 920). For example, using SSL, this link is 
established following a handshaking session similar to that described with 
regard to FIG. 1. For enhanced security, each end point (relay and 
server) authenticates one another using the relay's certificate and 
private/public key pair and the server's certificate and private/public key 
pair. The secure connection program of relay 320 and the secure 
connection program of server 340 could also create link 330 following a 
refresh handshaking session that occurs after an initial handshaking 
session. The refresh handshaking session could occur at a 
predetermined period based on an elapse of a predetermined time, 
transfer of a predetermined amount of information, etc. to provide 
replacement session keys and, thus, increased security. 
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1 3. It would be obvious to one of ordinary skill in the art at the time the invention was 
made to modify the invention of Boneh such that that the web proxy acts as a reverse 
proxy on behalf of the remote site from the local environment of the client, whereby the 
remote site delegates data vending on behalf of the remote site to be managed and 
distributed by the local managing service from within the local processing environment 
of the client. One would be motivated to do so to avoid performing intensive processing 
tasks such as generating private keys and digital certificates at a network juncture as 
known to one of ordinary skill in the art. The aforementioned cover the limitations of 
claims 1-6. 

14. As per claims 8 and 11-15, Boneh discloses a method of managing and 
accelerating delivery of data implemented in a computer-readable storage medium and 
to process within a local networking environment of a client for performing the method, 
comprising: 

i. processing a local service of a proxy for communicating securely with the 
client and for acting on behalf of the client during interactions between the client 
and a remote site (fig. 4), wherein the local service processes within a local 
environment of the client and uses Secure Socket Layer (SSL) communications 
when interacting with the client (paragraph 26); managing authority from the 
remote site at the local service, wherein authority is managed by accessing a 
certificate of the remote site at the local service; 
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j. establishing a secure tunnel between the local service of the proxy and 

the client for interactions between the client and the local service (paragraph 51 , 

secure TLS session between the client and the web proxy); 

k. establishing another secure tunnel between the local service and the 

remote site for interactions between the local service and the remote site 

(paragraph 53, secure TLS session between the web proxy and the remote site); 

and 

I. caching, within the local service, data received from the remote site, and 
wherein portions of the data are sent to the client in order to service data 
requests made from the client to the remote site (paragraphs 46-54); 
m. initially transmitting a local service certificate to the remote site; and 
subsequently communicating securely between the local service and the remote 
site using the local service certificate and the certificate of the remote site 
(paragraph 53); 

n. establishing the proxy as a transparent proxy for the client (paragraph 47); 
o. inspecting at the proxy a secure request made from the client for the 
remote site; and transferring the secure request to the local service for 
processing (paragraph 52); 

p. wherein caching further includes housing the data in a decrypted format 
within cache of the local service (paragraph 54, caching services are performed 
on decrypted response); 
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q. wherein caching further includes sending the portions of the data from the 
cache to the client along with the certificate associated with the remote site 
(paragraph 49 and 54 [cache services]). 

1 5. Furthermore Boneh discloses that the web proxy presents itself to the client as 
the remote site by generating a server certificate at the web proxy and communicating 
the certificate to the user client. Secure communications between the client and the 
web proxy is established using the key inserted into the certificate (paragraph 45, "the 
browser is configured to accept this proxy-server certificate, the web proxy successfully 
binds the destination server name (www.xyz.com) to the proxy-generated proxy session 
public key, allowing the proxy to thereafter masquerade as the destination server 
www.xyz.com") 

16. Boneh does not expressly disclose that the local service acts as a reverse proxy 

on behalf of the remote site from the local environment of the client, whereby the remote 

site delegates data vending on behalf of the remote site to be managed and distributed 

by the local managing service from within the local processing environment of the client. 

Aziz discloses a method and apparatus for providing secure communications between a 

client and a server. When the client desires to establish a secure connection with the 

remote server, a first secure communication is established between the client and a 

relay, and a second secure communication is then established between the relay and 

the server. In particular, on col. 5, lines 1-22 and col. 8, lines 13-32, Aziz discloses 

Information stored on relay 220 is used to create the secure connection. 
When a server wishes to obtain advantages of the present invention in a 
manner that could be transparent to client 200, server 240 will have a trust 
relationship with (that is, be controlled by or even be owned by the same 
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entity as) relay 220. Therefore, server 240 will share its private key and 
certificate with relay 220 . When a client wishes to obtain advantages of 
the present invention in a manner that could be transparent to server 240, 
client 200 will have a trust relationship with relay 220, and client 200 will, 
e.g., accept the certificate of relay 220 as that of server 240 and provide 
an authentication token of client 200 to relay 220. Thereby, relay 220 may 
be inserted without access to the server's keys. This architecture could, 
for example, assist a programmer in diagnosing problems with a client's 
application that communicates with an HTTPS server (by convention a 
secure server address is given the prefix "https://") even when the server 
would not provide the programmer with access to the server's keys. When 
both client 200 and server 240 wish to achieve the advantages of the 
present invention in a manner known to each entity, each will provide 
appropriate information to relay 220. ... 

...Because relays 320 are trusted by server 340, server 340 provides each 
relay 320 with its security certificate and with its public and private key pair 
for use in an encryption/decryption process (step 910). Either prior to 
during, or in response to a client request for information from server 340, 
the secure connection program of relay 320 and the secure connection 
program of server 340 create an end-to-end security link 330 using a 
handshaking session (step 920). For example, using SSL, this link is 
established following a handshaking session similar to that described with 
regard to FIG. 1. For enhanced security, each end point (relay and 
server) authenticates one another using the relay's certificate and 
private/public key pair and the server's certificate and private/public key 
pair. The secure connection program of relay 320 and the secure 
connection program of server 340 could also create link 330 following a 
refresh handshaking session that occurs after an initial handshaking 
session. The refresh handshaking session could occur at a 
predetermined period based on an elapse of a predetermined time, 
transfer of a predetermined amount of information, etc. to provide 
replacement session keys and, thus, increased security. 



1 7. It would be obvious to one of ordinary skill in the art at the time the invention was 
made to modify the invention of Boneh such that that the web proxy acts as a reverse 
proxy on behalf of the remote site from the local environment of the client, whereby the 
remote site delegates data vending on behalf of the remote site to be managed and 



distributed by the local managing service from within the local processing environment 
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of the client. One would be motivated to do so to avoid performing intensive processing 
tasks such as generating private keys and digital certificates at a network juncture as 
known to one of ordinary skill in the art. The aforementioned cover the limitations of 
claims 8 and 11-15. 

18. As per claim 16-22, Boneh discloses a data management and acceleration 
delivery system implemented in computer-readable storage media and to process on 
devices of a network, the system comprising: 

r. a proxy; a local service accessible to the proxy; and a remote site external 
to the proxy, wherein the proxy directs secure requests received from a client for 
the remote site to the local service (fig. 4), the local service acts as a transparent 
proxy on behalf of the client and communicates securely with the client using 
Secure Socket Layer (SSL) communications (paragraph 26) via a first secure 
tunnel established by the proxy for interactions between the local service and the 
client, and the local service interacts securely with the remote site via a second 
secure tunnel established by the proxy for interactions between the local service 
and the remote site, the interactions between the local service and the remote 
site is to acquire data on behalf of the client, and wherein portions or all of the 
acquired data are cached within the local service and used to service requests 
made by the client from within a local environment of the client (paragraphs 46- 
54; in particular, in paragraph 51 , secure TLS session between the client and the 
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web proxy is established, and in paragraph 53, secure TLS session between the 
web proxy and the remote site is established); 

s. wherein the local service includes a certificate with an identity of the 
remote site which is vended to the client (paragraphs 37 and 49); 
t. wherein the local service and remote site mutually interact securely with 
one another by exchanging certificates with one another (paragraph 53); 
u. wherein the local service and the remote site sign communications 
occurring between them (in SSL client authentication and key exchange is 
performed via signature); 

v. wherein the client is a browser application (paragraph 46); 

w. wherein the browser is configured to contact the proxy when making 

requests directed to the remote site (paragraph 48); 

x. wherein the proxy intercepts requests made from the browser which are 
directed to the remote site and forwards the requests to the local service for 
handling the requests (paragraph 46). 
1 9. Furthermore Boneh discloses that the web proxy presents itself to the client as 
the remote site by generating a server certificate at the web proxy and communicating 
the certificate to the user client. Secure communications between the client and the 
web proxy is established using the key inserted into the certificate (paragraph 45, "the 
browser is configured to accept this proxy-server certificate, the web proxy successfully 
binds the destination server name (www.xyz.com) to the proxy-generated proxy session 
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public key, allowing the proxy to thereafter masquerade as the destination server 
www.xyz.com") 

20. Boneh does not expressly disclose that the local service acts as a reverse proxy 

on behalf of the remote site from the local environment of the client, whereby the remote 

site delegates data vending on behalf of the remote site to be managed and distributed 

by the local managing service from within the local processing environment of the client. 

Aziz discloses a method and apparatus for providing secure communications between a 

client and a server. When the client desires to establish a secure connection with the 

remote server, a first secure communication is established between the client and a 

relay, and a second secure communication is then established between the relay and 

the server. In particular, on col. 5, lines 1-22 and col. 8, lines 13-32, Aziz discloses 

Information stored on relay 220 is used to create the secure connection. 
When a server wishes to obtain advantages of the present invention in a 
manner that could be transparent to client 200, server 240 will have a trust 
relationship with (that is, be controlled by or even be owned by the same 
entity as) relay 220. Therefore, server 240 will share its private key and 
certificate with relay 220 . When a client wishes to obtain advantages of 
the present invention in a manner that could be transparent to server 240, 
client 200 will have a trust relationship with relay 220, and client 200 will, 
e.g., accept the certificate of relay 220 as that of server 240 and provide 
an authentication token of client 200 to relay 220. Thereby, relay 220 may 
be inserted without access to the server's keys. This architecture could, 
for example, assist a programmer in diagnosing problems with a client's 
application that communicates with an HTTPS server (by convention a 
secure server address is given the prefix "https://") even when the server 
would not provide the programmer with access to the server's keys. When 
both client 200 and server 240 wish to achieve the advantages of the 
present invention in a manner known to each entity, each will provide 
appropriate information to relay 220. ... 

...Because relays 320 are trusted by server 340, server 340 provides each 
relay 320 with its security certificate and with its public and private key pair 
for use in an encryption/decryption process (step 910). Either prior to 



Application/Control Number: 10/784,440 
Art Unit: 2432 



Page 16 



during, or in response to a client request for information from server 340, 
the secure connection program of relay 320 and the secure connection 
program of server 340 create an end-to-end security link 330 using a 
handshaking session (step 920). For example, using SSL, this link is 
established following a handshaking session similar to that described with 
regard to FIG. 1. For enhanced security, each end point (relay and 
server) authenticates one another using the relay's certificate and 
private/public key pair and the server's certificate and private/public key 
pair. The secure connection program of relay 320 and the secure 
connection program of server 340 could also create link 330 following a 
refresh handshaking session that occurs after an initial handshaking 
session. The refresh handshaking session could occur at a 
predetermined period based on an elapse of a predetermined time, 
transfer of a predetermined amount of information, etc. to provide 
replacement session keys and, thus, increased security. 



21 . It would be obvious to one of ordinary skill in the art at the time the invention was 
made to modify the invention of Boneh such that that the web proxy acts as a reverse 
proxy on behalf of the remote site from the local environment of the client, whereby the 
remote site delegates data vending on behalf of the remote site to be managed and 
distributed by the local managing service from within the local processing environment 
of the client. One would be motivated to do so to avoid performing intensive processing 
tasks such as generating private keys and digital certificates at a network juncture as 
known to one of ordinary skill in the art. The aforementioned cover the limitations of 
claims 16-22. 



22. As per claims 23-25, 27 and 28, Boneh discloses a data management and 
acceleration delivery system implemented in a computer-readable storage medium and 
to process on one or more devices of a network, the system comprising: 
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y. a proxy; and one or more local services directly accessible to the proxy, 
wherein the proxy acts as an intermediary between one or more clients and one 
or more remote sites (fig. 4), the proxy detects attempts made by the clients for 
establishing secure communications with the remote sites and based on the 
identities of a particular client and particular remote site identifies a particular 
local service, the particular local service communicates securely with the 
particular client, via Secure Socket Layer (SSL) (paragraph 26) communications 
as a transparent proxy to the particular client and via a first tunnel established by 
the proxy between the particular local service and the particular client, and the 
particular local service also securely communicates with the particular remote 
site via a second tunnel established by the proxy between the particular local 
service and the particular remote site, and wherein the particular local service 
caches data received from the particular remote site for purposes of servicing 
requests for portions of that data requested by the particular client and the 
cached data resides within local environments of the particular client (paragraphs 
46-54; in particular, in paragraph 51, secure TLS session between the client and 
the web proxy is established, and in paragraph 53, secure TLS session between 
the web proxy and the remote site is established); 

z. wherein each local service is associated with a unique one of the remote 
sites (paragraph 31); 
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aa. further comprising switching logic that intercepts requests from the clients 
which are directed to the remote sites and forwards them to the proxy (paragraph 
46); 

bb. wherein each of the local services includes a certificate associated with a 
unique one of the remote sites; wherein a number of the local services 
communicates securely with a number of the remote sites by initially exchanging 
mutual certificates (the invention operates via SSL or TLS). 

23. Furthermore Boneh discloses that the web proxy presents itself to the client as 
the remote site by generating a server certificate at the web proxy and communicating 
the certificate to the user client. Secure communications between the client and the 
web proxy is established using the key inserted into the certificate (paragraph 45, "the 
browser is configured to accept this proxy-server certificate, the web proxy successfully 
binds the destination server name (www.xyz.com) to the proxy-generated proxy session 
public key, allowing the proxy to thereafter masquerade as the destination server 
www.xyz.com") 

24. Boneh does not expressly disclose that the local service acts as a reverse proxy 
on behalf of the remote site from the local environment of the client, whereby the remote 
site delegates data vending on behalf of the remote site to be managed and distributed 
by the local managing service from within the local processing environment of the client. 
Aziz discloses a method and apparatus for providing secure communications between a 
client and a server. When the client desires to establish a secure connection with the 
remote server, a first secure communication is established between the client and a 
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relay, and a second secure communication is then established between the relay and 

the server. In particular, on col. 5, lines 1-22 and col. 8, lines 13-32, Aziz discloses 

Information stored on relay 220 is used to create the secure connection. 
When a server wishes to obtain advantages of the present invention in a 
manner that could be transparent to client 200, server 240 will have a trust 
relationship with (that is, be controlled by or even be owned by the same 
entity as) relay 220. Therefore, server 240 will share its private key and 
certificate with relay 220 . When a client wishes to obtain advantages of 
the present invention in a manner that could be transparent to server 240, 
client 200 will have a trust relationship with relay 220, and client 200 will, 
e.g., accept the certificate of relay 220 as that of server 240 and provide 
an authentication token of client 200 to relay 220. Thereby, relay 220 may 
be inserted without access to the server's keys. This architecture could, 
for example, assist a programmer in diagnosing problems with a client's 
application that communicates with an HTTPS server (by convention a 
secure server address is given the prefix "https://") even when the server 
would not provide the programmer with access to the server's keys. When 
both client 200 and server 240 wish to achieve the advantages of the 
present invention in a manner known to each entity, each will provide 
appropriate information to relay 220. ... 

...Because relays 320 are trusted by server 340, server 340 provides each 
relay 320 with its security certificate and with its public and private key pair 
for use in an encryption/decryption process (step 910). Either prior to 
during, or in response to a client request for information from server 340, 
the secure connection program of relay 320 and the secure connection 
program of server 340 create an end-to-end security link 330 using a 
handshaking session (step 920). For example, using SSL, this link is 
established following a handshaking session similar to that described with 
regard to FIG. 1. For enhanced security, each end point (relay and 
server) authenticates one another using the relay's certificate and 
private/public key pair and the server's certificate and private/public key 
pair. The secure connection program of relay 320 and the secure 
connection program of server 340 could also create link 330 following a 
refresh handshaking session that occurs after an initial handshaking 
session. The refresh handshaking session could occur at a 
predetermined period based on an elapse of a predetermined time, 
transfer of a predetermined amount of information, etc. to provide 
replacement session keys and, thus, increased security. 
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25. It would be obvious to one of ordinary skill in the art at the time the invention was 
made to modify the invention of Boneh such that that the web proxy acts as a reverse 
proxy on behalf of the remote site from the local environment of the client, whereby the 
remote site delegates data vending on behalf of the remote site to be managed and 
distributed by the local managing service from within the local processing environment 
of the client. One would be motivated to do so to avoid performing intensive processing 
tasks such as generating private keys and digital certificates at a network juncture as 
known to one of ordinary skill in the art. The aforementioned cover the limitations of 
claims 23-25, 27 and 28. 

Conclusion 

26. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

27. Bellwood et al. US 6,584,567 discloses a proxy establishing a secure 
communication between a client and a set of servers and further providing caching 
services. 

28. Chawla et al. US 7,137,143 discloses a secure reverse proxy establishing 
separate secure connections between a client and a web server and further providing 
caching services. 

29. "Secures Sockets Layer Discussion List FAQ v1 .1 .1 ," pg. 7 (entered 9/1 7/08) 
discloses establishing separate secure connections between a client and a Netscape 
Proxy server and between a Netscape Proxy server and an external server. 
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30. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Communications Inquiry 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to JUNG KIM whose telephone number is (571 )272-3804. 
The examiner can normally be reached on FLEX. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



/Jung Kim/ 

Primary Examiner, AU 2432 



